Create signed Windows binaries

Pedro Pombeiro requested to merge windows-codesigning into master

What does this MR do?

This MR takes care of signing the Windows binaries: gitlab-runner-helper.x86_64-windows.exe, gitlab-runner-windows-amd64.exe and gitlab-runner-windows-386.exe.

Why was this MR needed?

See #2483. Basically this is necessary to mitigate a possible attack vector where it is currently easy to tamper with/replace our Windows executables without the user's knowledge.

Are there points in the code the reviewer needs to double check?

The current state is using a self-signed certificate, and a local env variable containing the certificate export password. We'll need to replace the files referenced by WINDOWS_CODE_SIGN_KEY_PATH/WINDOWS_CODE_SIGN_CERT_PATH and move WINDOWS_CODE_SIGN_PASSWORD to the CI environment variables.

This MR creates a new CI build image tag in order to pre-install the osslsigncode tool.

NOTE: I guess we could refactor the new jobs to extend binaries windows/386 windows/amd64 and helper images and move the signing script to after_script, instead of using needs. However, this might make it easier to break the job by tightly coupling the two. WDYT?

Does this MR meet the acceptance criteria?

  • Documentation created/updated
  • Added tests for this feature/bug
  • In case of conflicts with master - branch was rebased

What are the relevant issue numbers?

#2483 #25911

Edited by 🤖 GitLab Bot 🤖
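A release-side check that complements the signing step described above, as an added example that is not part of this merge request or of the GitLab Runner code: it reads the PE headers of each built executable and flags any that carry no Authenticode certificate table. The function names and the sample images are hypothetical and constructed for the demo; the embedded "signature" is a placeholder, not a real PKCS#7 blob.

```python
import struct

SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def authenticode_entry(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
        return None
    # For this directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table lies outside the file")
    length, _rev, cert_type = struct.unpack_from("<IHH", data, offset)
    if cert_type != PKCS_SIGNED_DATA or not 8 < length <= size:
        raise ValueError("malformed WIN_CERTIFICATE entry")
    return offset, size

def unsigned_artifacts(artifacts: dict) -> list:
    """Names that fail the gate: no signature present, or unparsable."""
    bad = []
    for name, data in artifacts.items():
        try:
            if authenticode_entry(data) is None:
                bad.append(name)
        except (ValueError, struct.error):
            bad.append(name)
    return sorted(bad)

def build_sample_pe(signed: bool) -> bytes:
    """Constructed headers-only PE32+ image; the 'signature' is a placeholder."""
    opt = bytearray(240)                                    # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 24, 0x0200, PKCS_SIGNED_DATA) + b"\0" * 16
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 328, len(cert))
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return head + coff + bytes(opt) + (cert if signed else b"")
```

A pass here only shows that a certificate table is present and well-formed; validating the digest and certificate chain is still the job of a verifier such as `osslsigncode verify` or Windows itself.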
